You can configure Administration Console as a remote audit server for syslog. By default, audit logs are sent to /var/log/NAM_Audits.log. rsyslog provides various options and macros for Administration Console to accept logs over UDP and TLS over TCP.
Perform the following steps to use Administration Console as a remote audit server using UDP and TLS over TCP:
To load the required module for rsyslog for receiving messages using UDP, perform the following steps:
Edit nam.conf and namMultiTarget.conf of Administration Console working as the remote audit server and add the following entries:
$ModLoad imudp # load UDP module
$UDPServerRun <port number> # UDP connection port
For information about how to modify a file, see Modifying Configurations.
Restart the rsyslog service.
To receive messages using TLS over TCP, add the following macros to nam.conf and namMultiTarget.conf of Administration Console working as the remote audit server:
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile <remote peer's CA certificate filepath>
$DefaultNetstreamDriverCertFile <public key certificate filepath>
$DefaultNetstreamDriverKeyFile <private key file>
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode <mode>
$InputTCPServerStreamDriverPermittedPeer <permitted peer ID>
In $InputTCPServerStreamDriverAuthMode <mode>, you can specify one of the following authentication modes for validating a remote peer:
anon: Anonymous authentication. The remote peer is not authenticated.
x509/certvalid: Certificate validation only.
x509/name: Certificate validation and subject name authentication.
In $InputTCPServerStreamDriverPermittedPeer <permitted peer ID>, specify the remote peer's identifier. Only connections from these peers are accepted. You can set PermittedPeer to a single peer or an array of peers of type IP or name, depending on the TLS certificate. For example:
Single peer: $InputTCPServerStreamDriverPermittedPeer "127.0.0.1"
Array of peers: $InputTCPServerStreamDriverPermittedPeer ["test1.ex.net","10.1.2.3","*.ex.net"]
If array syntax does not work, configure each entry individually.
A sample nam.conf file:
$DefaultNetstreamDriverCAFile /tmp/client_CA.pem
$DefaultNetstreamDriverCertFile /tmp/server_Cert.pem
$DefaultNetstreamDriverKeyFile /tmp/Server_Key.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer 164.100.150.10
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* -/var/log/NAM_audits.log;ForwardFormat
Restart the rsyslog service.
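A pre-restart check of the TLS listener settings described above, written as an added example (it is not part of the product or of rsyslog). It reads the legacy `$Directive value` lines of one file and reports a missing gtls driver, a non-TLS-only mode, a missing or anon auth mode, x509/name without a permitted peer, and certificate or key files under /tmp. The function names and the /etc/nam-tls/ directory are assumptions made for the example.

```python
import re

# Constructed input: the TLS directives of the sample nam.conf shown above.
PAGE_SAMPLE = """\
$DefaultNetstreamDriverCAFile /tmp/client_CA.pem
$DefaultNetstreamDriverCertFile /tmp/server_Cert.pem
$DefaultNetstreamDriverKeyFile /tmp/Server_Key.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer 164.100.150.10
"""
# Constructed variant: driver set, files under a hypothetical /etc/nam-tls/ directory.
REVISED = "$DefaultNetstreamDriver gtls\n" + PAGE_SAMPLE.replace("/tmp/", "/etc/nam-tls/")

def parse_directives(text):
    """Map each legacy '$Name value' directive (lower-cased) to its list of values."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*\$(\w+)\s+([^#]*)", line)  # drop trailing '# comment'
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return found

def lint_tls_listener(text):
    """Return findings for the TLS-over-TCP listener settings in one config file."""
    d, findings = parse_directives(text), []
    last = lambda name: (d.get(name) or [""])[-1].lower()
    if last("defaultnetstreamdriver") != "gtls":
        findings.append("DefaultNetstreamDriver gtls is not set in this file")
    if last("inputtcpserverstreamdrivermode") != "1":
        findings.append("StreamDriverMode is not 1 (TLS-only)")
    mode = last("inputtcpserverstreamdriverauthmode")
    if mode not in ("x509/certvalid", "x509/name"):
        findings.append("AuthMode is not x509/certvalid or x509/name")
    if mode == "x509/name" and not d.get("inputtcpserverstreamdriverpermittedpeer"):
        findings.append("AuthMode x509/name has no PermittedPeer entry")
    for kind in ("cafile", "certfile", "keyfile"):
        for path in d.get("defaultnetstreamdriver" + kind, []):
            if path.startswith(("/tmp/", "/var/tmp/")):
                findings.append(f"{kind} {path} is under a world-writable directory")
    return findings

if __name__ == "__main__":
    for name, conf in (("page sample", PAGE_SAMPLE), ("revised", REVISED)):
        print(name, lint_tls_listener(conf) or "no findings")
```

The check covers only the file it is given, so a driver loaded from another rsyslog configuration file is still reported as missing here.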